From 8eb76217d0137b7adad438f6c923310fbc1fc4c1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 19 Dec 2013 00:17:12 +0100
Subject: [PATCH] avcodec/interplayvideo: Check that enough data is available for opcode_0x7/8/D

Fixes hypothetical use of uninitialized memory, no sample available
Signed-off-by: Michael Niedermayer
---
 libavcodec/interplayvideo.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index 645fc16e68..542fefe146 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -197,6 +197,11 @@ static int ipvideo_decode_block_opcode_0x7(IpvideoContext *s, AVFrame *frame)
 unsigned char P[2];
 unsigned int flags;

+ if (bytestream2_get_bytes_left(&s->stream_ptr) < 4) {
+ av_log(s->avctx, AV_LOG_ERROR, "too little data for opcode 0x7\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /* 2-color encoding */
 P[0] = bytestream2_get_byte(&s->stream_ptr);
 P[1] = bytestream2_get_byte(&s->stream_ptr);
@@ -236,6 +241,11 @@ static int ipvideo_decode_block_opcode_0x8(IpvideoContext *s, AVFrame *frame)
 unsigned char P[4];
 unsigned int flags = 0;

+ if (bytestream2_get_bytes_left(&s->stream_ptr) < 12) {
+ av_log(s->avctx, AV_LOG_ERROR, "too little data for opcode 0x8\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /* 2-color encoding for each 4x4 quadrant, or 2-color encoding on
 * either top and bottom or left and right halves */
 P[0] = bytestream2_get_byte(&s->stream_ptr);
@@ -477,6 +487,11 @@ static int ipvideo_decode_block_opcode_0xD(IpvideoContext *s, AVFrame *frame)
 int y;
 unsigned char P[2];

+ if (bytestream2_get_bytes_left(&s->stream_ptr) < 4) {
+ av_log(s->avctx, AV_LOG_ERROR, "too little data for opcode 0xD\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 /* 4-color block encoding: each 4x4 block is a different color */
 for (y = 0; y < 8; y++) {
 if (!(y & 3)) {
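Review bot: The bound of 4 in the opcode 0x7 guard is a bare number with no statement of how it was derived, and the same holds for 12 in the opcode 0x8 hunk. The visible context consumes two bytes for P[0] and P[1], so 4 leaves room for only two more; the rest of ipvideo_decode_block_opcode_0x7 lies outside the hunk, so whether every branch below stays within that budget needs confirming against the full function. If a longer branch exists, a truncated packet passes this guard and the remaining reads rely entirely on the bounds handling inside `bytestream2_get_byte`. I would put the derivation in a comment above each check, e.g. `/* minimum payload: 2 colour bytes + N flag bytes */`, and repeat the check with the larger size at the point where a longer encoding is selected.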
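Review bot: The opcode 0xD guard is the third copy of the same check, differing only in the byte count and the opcode name in the message, and none of the three messages says how many bytes were actually left. Folding them into one static helper that takes the required size and the opcode would keep the error path and return value uniform across the decoders. Logging the shortfall, e.g. `"too little data for opcode 0x%X (%d left, %d needed)\n"`, would make reports of malformed or truncated streams easier to triage. The for loop that follows the guard continues outside the hunk.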